The Drugslist Lesson: Why Marketplace Security should not be taken lightly! (Complete Timeline)

This is one of the saddest of the recent stories: a marketplace that did not take security warnings seriously and chose to deny rather than fix. Luckily, in this case no harm was done yet, beyond the ruining of the Drugslist marketplace's reputation, but it is a lesson that every marketplace admin should learn: address all issues, no matter how small you think they are.

We bring you here the complete timeline of the events – Full credit goes to the_avid for helping us organize this huge amount of information into a clear chain of events:

So this is how it began…

1. Gwern and TMPSchultz (Themarketplace.i2p admin) take issue with Drugslist's implementation of multi-sig (which we have reported on before on this site), which really isn't multi-sig (Drugslist referred to it as "multisig lite"). This was posted in this thread.

2. The user magnus0 finds a simple SQL injection in the registration form that allows him to sign up without an invite code. That might sound benign, but the implication of an SQL injection is that you have complete control of the database; he just chose to use it to register in order to prove his point. This was all done in private messages, since he just wanted to get the issue fixed. Drugslist pays him $14 and minimizes the impact of the bug (it is very common in these circles to be paid for bugs; it isn't out of the ordinary to ask for a bounty, and most vendors would pay one, since it is good practice). This private conversation leads magnus0 to post this thread. This is the PM exchange between them:

3. At this point, some of the DarkNetMarkets mods and the Drugslist admin are beating up on magnus0 in his thread, as are a lot of other users who join in, not realizing the issue is serious. Magnus0 throws in the towel and leaves.

4. 6-8 hours later another user, the_avid, comes to the DarkNetMarkets sub and finds the thread where Drugslist announces their API, which he finds of little interest. At this point (as he told us) he knew little about Drugslist and had done not much more than sign up and click a few links perhaps 2 weeks earlier.

5. Reading the post from Drugslist about their full multisig API, the same user, the_avid, notices "client-side PGP" in the 2nd paragraph and can't believe what he's reading. He then checks their site and sees they are doing PGP in web forms, a big no-no, so he posts this comment:

6. Then he gets into a ridiculous back and forth with Drugslist. In 99% of cases, when you report something like this you would expect the admin to fix it and you would move on, but Drugslist persisted. Then the_avid noticed the API implementation. Note: a bit of background on that. The API implementation they are using is called JSON-RPC and is used in Bitcoin. But when used with Bitcoin it only accesses a local server on the same computer; it isn't meant to be used over the internet, not even over Tor, since it isn't a secure design. the_avid points out the poor API design as well, and again this is denied by Drugslist.

7. It is pretty clear at this point that Drugslist doesn't even understand the issues being reported to him, so, as the_avid explained to us, he was puzzled as to why the Drugslist admin was defending them so vigorously. Drugslist eventually concedes that implementing PGP in the browser can be unsafe (although he concedes this point for the wrong reason), but by this point the_avid had become more curious as to who this Drugslist guy is and why he was behaving that way. Then, looking through his comment history, he only needed to scroll down half a page to see this comment from him on an earlier thread:

It was said in the post:

It's also a safeguard, and one of the many we have to reduce our members' risk (others include: auto-withdrawal, client side PGP, shipping methods with concrete time frames and selected membership).

As it was explained to us: "In that thread he was pitching what is a security vulnerability as a security feature, which was just amazing."

8. A further check through Drugslist's post history made it easy to see that his entire comment history for the past 3 days is filled with arguments with other people who are reporting either security or technical issues to him.

9. In the words of the_avid: "My jaw dropped when I saw the SQL injection thread ('thanks for the beer' thread) and how stupid and simple a bug it was". He then went on to message magnus0 and told him "I'm going through the same thing as him with drugslist, and pointed him to my PGP thread."

10. The user the_avid then decided to check out the Drugslist site himself, using his own registration from 2 weeks earlier. He tested a half-dozen parameters on 3 different pages, the types of pages that usually have these bugs (search, product page, etc.), and found that not a single one of them was properly handling input, which means they are also vulnerable to SQL injection.

He then goes on to PM Drugslist and says: "you need to stop arguing, your site is a mess – i just found injection points on the search and product pages. take your site down"
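To make the registration-form finding (item 2) and the unfiltered search and product parameters (item 10) concrete, here is an added Python example. It is not Drugslist's code (which was never published) and not the_avid's test; it uses a constructed in-memory sqlite invite table, and the invite codes and probe strings are made up. It shows the invite check written the unsafe way beside the parameterized fix, plus a small developer-side regression probe of the kind a marketplace admin could run against their own handlers before going live.

```python
import sqlite3

# Constructed stand-in for a marketplace's invite table (not Drugslist's code,
# which was never published): a single unused invite code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invites (code TEXT PRIMARY KEY, used INTEGER DEFAULT 0)")
    db.execute("INSERT INTO invites (code) VALUES ('A7Q2-VALID')")
    return db

def invite_valid_vulnerable(db, code):
    """The bug class behind the registration-form finding: user input spliced
    straight into the SQL text, so quotes in the input become SQL syntax."""
    sql = f"SELECT COUNT(*) FROM invites WHERE code = '{code}' AND used = 0"
    return db.execute(sql).fetchone()[0] > 0

def invite_valid_fixed(db, code):
    """Hardened form: the value travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM invites WHERE code = ? AND used = 0"
    return db.execute(sql, (code,)).fetchone()[0] > 0

# Probes in the spirit of the_avid's browser test on the search and product
# pages: a plain bogus code, one carrying a quote, and the textbook tautology.
PROBES = ["NOPE", "NO'PE", "x' OR '1'='1"]

def handles_input_safely(check, db):
    """Developer-side regression check for one lookup parameter. Every probe is
    a non-existent code, so a correct handler rejects all three without error.
    A database error (the quote broke the statement) or an acceptance (the
    tautology widened the WHERE clause) both mean the parameter is unsafe."""
    try:
        return all(check(db, p) is False for p in PROBES)
    except sqlite3.Error:
        return False

if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", invite_valid_vulnerable), ("fixed", invite_valid_fixed)]:
        print(f"{name}: safe input handling = {handles_input_safely(fn, db)}")
```

The unsafe handler fails the probe two ways (a syntax error on the quoted probe, and an accepted registration on the tautology); the parameterized handler rejects all three, which is the behaviour the_avid was checking for with nothing more than a browser.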

11. With a few more minutes of investigating he got the server to leak debug info and quickly worked out how the site had been put together. He did an online search for project job listings and found a listing on the clearnet that he believed was Drugslist hiring developers to build his site (the cheap "program me a website" type of marketplace).

12. Then the_avid messages him to tell him that he is just a couple of clicks away from doxxing him, and that he knows Drugslist hired cheap offshore/contract labour to build his site. Drugslist PMs him with "do you have torchat, I want to speak to you about that". the_avid replies with "no, I only do jabber + OTR", and goes to bed at this point.

13. The next day Drugslist apparently posted a thread in a private subreddit that only vendors can access (we can confirm this, as we saw the thread) telling everybody to "be wary" of the_avid because he is law enforcement. His evidence was that the_avid insisted on chatting over Jabber (he didn't realize that Jabber runs over Tor and is encrypted end-to-end) rather than TorChat. He didn't mention that it was he who wanted to speak to the_avid.

14. A vendor takes a screenshot of that post and sends it to the_avid. In the meantime the_avid is also speaking to the mods about Gabralkhan and his behavior in all this, as he strongly suspects that Gabralkhan and Drugslist are the same person or that Gabralkhan is involved in the site (which is NOT true; this is now well confirmed by everyone, and we at DeepDotWeb also vouch for Gabralkhan's integrity).

15. At that point, because of the LE post and the constant harassment, negative comments and denials from both Gabralkhan (whom the_avid considered to be part of Drugslist) and Drugslist, the_avid decides that he is no longer going to work with them privately to fix bugs, but that he is going to do a complete writeup and let everyone know about all the bugs. All posted in this thread (too long to quote, just see there).

16. He still left a ton of details and bugs out of that writeup because he was trying to keep it brief (!). He believed that Gabralkhan's first comment in that thread was insulting him because he wanted to chat to Drugslist over Jabber:

17. At that point Drugslist steps in and attempts the same, but despite floating all sorts of conspiracy theories (that the_avid works for TMP, that magnus0 and the_avid are the same person, etc.) and a lot of weird stuff, none of what he was saying took hold much with readers, apparently.

18. For the grand finale, Drugslist created a username "drugslist_developer" and attempted a mea culpa, but at this point everyone saw through that, in this thread:

19. Then, as if it wasn't enough already, the final blow landed, as magnus0 posted a thread (later deleted, but we had screenshotted it) in the "we hacked tormarket DPR Style" vein, dumping all the usernames from the Drugslist database and proving to the world that it is in fact very vulnerable to hacking:

The Thread that was later deleted

Small portion of the dumped usernames – we confirmed the list is real by finding a unique user we created on Drugslist

20. Later, when we thought this could not get any worse in any way, it was brought to our attention that the hacker himself (magnus0) was doxxed (probably by someone from Drugslist staff?), and we received a copy of the full details, which we obviously blacked out:

{We have removed the blacked-out doxx, since it was too revealing anyway, and by now the point was made}

The reason we post this is that it could stop a bunch of innocent users' information from being released or held hostage for money from the owners of Drugslist. It makes it less likely that magnus0 will release the information he has on Drugslist users.

====

We asked the_avid why he did not start by hacking them to prove his point and make this long story short. He replied:

the reasons why I didn’t hack them:

Showing that parameters aren’t being filtered properly is easy – I do that with nothing more than a web browser and the development console. Developing that further into an exploit can take anywhere from 2-48 hours since you need to go through a process of discovering their database schema

In 99% of security reports that initial test is all you need to show there is a bug, it is commonly accepted amongst most programmers that it is proof enough

My interest is in protecting users and vendors, I don’t really want to take advantage of their data and privacy to prove a point against a marketplace

I felt I had enough in my post in any case – anybody impartial would see it for what it is. I’d prefer these things are settled without user and vendor data being used as ammo.

—

Let this be a warning for all admins: please, for the benefit of your vendors and users, do not take your marketplace security lightly! Address and fix every issue, even the ones you think are small.

Would be interested in hearing how much they paid where he said kudos to DL for paying up? The thread was deleted. He asked for a real amount, or was it the $20 that was mentioned earlier? Good job either way, admins/sites that don't take security seriously can get fucked.